FileWall: Implementing File Access Policies Using Dynamic Access Context. Stephen Smaldone, Aniruddha Bohra, and Liviu Iftode. DiscoLab, Department of Computer Science, Rutgers University.

FileWall: Implementing File Access Policies Using Dynamic Access Context. Stephen Smaldone, Aniruddha Bohra, and Liviu Iftode. DiscoLab, Department of Computer Science, Rutgers University. Workshop on Spontaneous Networking, May 12, 2006.

File System Management
 Organization: Too many files, directories, servers…
 Protection: Left to the discretion of the owner
 Dynamism: Cannot be incorporated without file system extension
Administrator has little control over file access policies

Observations
 File names are powerful
    Can be used to implement access policies
 All file system accesses are performed through messages
    Message transformations can be used to enforce policies
    File system state can be constructed using information contained in messages
Access policies can be implemented by interposition and message transformation

Firewall (the analogy)
 Interposes on the client-server path
 Stores network flow history
 Evaluates each message against the firewall policies
 Passes through, drops, or transforms network packets

FileWall
 Interposes on the client-server path
 Stores file access history
 Evaluates each message against FileWall policies
 Transforms file system messages
FileWall constructs virtual namespaces from file system namespaces and access policies through message transformation

Applications of the FileWall Model
 Access control
 Quality of Service (QoS)
 File system organization
 Intrusion detection
 Information Lifecycle Management (ILM)
 Data transformations
 …

Outline
 Motivation
 Design
    Access Context
    FileWall Policies
 Implementation
 Evaluation
 Related Work
 Conclusions

Access Context
 Access history
    Access statistics
    Sequence of accesses
    Describes user behavior
 Environment
    Time, available disk space, CPU load, etc.

Maintaining Access Context
 Requirements
    Compact representation
    Contains semantic information that describes user behavior
    Easy to understand and specify
    Soft state

Access Tree
 Node = file "run"
    Group of accesses performed by the same application
    Open to close, or approximated using clustered accesses
 Attributes
    File name
    Type of run (READ, WRITE, etc.)
    Operation count
 Edge
    Child run started after and ended before its parent run
 Depth-first traversal defines the sequence of runs in an access tree

Access Tree Example (figure): runs are added under Root in the sequence Read 1, Create/Delete 2, Read/Write 3, Write 1 (type of run and operation count).


FileWall Policies
 Transform messages (requests and replies)
    Sequence of rules
    INPUT and OUTPUT
 Use:
    Access context
    File attributes contained in messages

FileWall Policy Example
 Policy: "Show files accessed today"
 For each client-visible file: Access Time = TODAY
 Transform directory listing messages
    READDIR and READDIRPLUS

FileWall Policy Example (figure): a client READDIR request M enters FileWall, which consults the access context and policies, rewrites the request to READDIRPLUS before forwarding it to the server, and rewrites the server's READDIRPLUS reply back into a READDIR reply for the client.

Policy Descriptors
 INPUT Rule:
    int fwin(rpc_msg request) {
        if (request.proc == READDIR) {
            request.proc = READDIRPLUS;
        }
        return FORWARD;
    }
 OUTPUT Rule:
    int fwout(rpc_msg reply) {
        if (reply.proc == READDIRPLUS) {
            FOREACH entp in reply {
                if (entp.atime == TODAY)
                    copy_entry(res_entp, entp);
            }
            reply.entries = res_entp;
            reply.proc = READDIR;
        }
        return FORWARD;
    }
 Specified as C programs and compiled as loadable shared modules
As written, the OUTPUT rule demotes every READDIRPLUS reply, including those for clients that sent READDIRPLUS themselves; a deployable rule ties the demotion to the requests the INPUT rule upgraded, which is one use of the soft state FileWall maintains.
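The same two rules as an added, runnable example (this is not FileWall's policy code). The rpc_msg and dir_entry structures, the TODAY stamp, the XID table and the fixed server listing are simplified stand-ins constructed for this example; the NFSv3 procedure numbers are the ones from RFC 1813. The example goes one step beyond the slide by remembering which requests it upgraded, so only their replies are turned back into READDIR.

```c
/* Added example, not FileWall's policy code: the "show files accessed
 * today" policy from the slides, run over a constructed NFSv3 listing.
 * rpc_msg, dir_entry, TODAY and the fixed server listing are simplified
 * stand-ins for what a real policy module sees on the wire. */
#include <stdio.h>
#include <string.h>

enum { NFS_READDIR = 16, NFS_READDIRPLUS = 17 };  /* NFSv3 procedure numbers (RFC 1813) */
enum { FORWARD = 0, DROP = 1 };                   /* rule verdicts */
#define MAX_ENTRIES 8
#define MAX_PENDING 16
#define TODAY 20060512   /* constructed day stamp for 2006-05-12 */

typedef struct { char name[32]; int atime_day; } dir_entry;

/* A real READDIRPLUS reply also carries fattr3 and a file handle per
 * entry and must be re-encoded as a READDIR reply; this struct keeps
 * only what the policy needs. */
typedef struct {
    unsigned xid;               /* RPC transaction id, ties a reply to its request */
    int proc;
    int nentries;
    dir_entry entries[MAX_ENTRIES];
} rpc_msg;

/* Soft state: XIDs of requests this policy upgraded, so the OUTPUT rule
 * demotes only those replies and leaves a client's own READDIRPLUS alone. */
static unsigned pending[MAX_PENDING];
static int npending;

static int was_upgraded(unsigned xid) {
    for (int i = 0; i < npending; i++)
        if (pending[i] == xid) { pending[i] = pending[--npending]; return 1; }
    return 0;
}

/* INPUT rule: ask the server for attributes, whatever the client asked for. */
int fwin(rpc_msg *request) {
    if (request->proc == NFS_READDIR && npending < MAX_PENDING) {
        request->proc = NFS_READDIRPLUS;
        pending[npending++] = request->xid;
    }
    return FORWARD;
}

/* OUTPUT rule: drop entries not accessed today from every READDIRPLUS
 * reply, then restore READDIR for clients that originally sent READDIR. */
int fwout(rpc_msg *reply) {
    if (reply->proc == NFS_READDIRPLUS) {
        int kept = 0;
        for (int i = 0; i < reply->nentries; i++)
            if (reply->entries[i].atime_day == TODAY)
                reply->entries[kept++] = reply->entries[i];   /* compact in place */
        reply->nentries = kept;
        if (was_upgraded(reply->xid))
            reply->proc = NFS_READDIR;
    }
    return FORWARD;
}

/* Constructed server: answers any listing request with a fixed directory. */
static void server_reply(const rpc_msg *req, rpc_msg *rep) {
    static const dir_entry listing[] = {
        { "notes.txt", TODAY }, { "old.log", 20060101 },
        { "draft.c", TODAY },   { "bin", 20051231 },
    };
    rep->xid = req->xid;
    rep->proc = req->proc;
    rep->nentries = (int)(sizeof listing / sizeof listing[0]);
    memcpy(rep->entries, listing, sizeof listing);
}

/* One client request through fwin -> server -> fwout; returns what the client sees. */
rpc_msg client_request(unsigned xid, int proc) {
    rpc_msg req, rep;
    memset(&req, 0, sizeof req);
    memset(&rep, 0, sizeof rep);
    req.xid = xid;
    req.proc = proc;
    fwin(&req);
    server_reply(&req, &rep);
    fwout(&rep);
    return rep;
}

int visible_entries(unsigned xid, int proc) { return client_request(xid, proc).nentries; }
int reply_proc(unsigned xid, int proc) { return client_request(xid, proc).proc; }

int main(void) {
    rpc_msg rep = client_request(1, NFS_READDIR);
    printf("client sees proc %d with %d entries:\n", rep.proc, rep.nentries);
    for (int i = 0; i < rep.nentries; i++)
        printf("  %s\n", rep.entries[i].name);
    return 0;
}
```

A client that sent READDIR gets a READDIR reply listing only notes.txt and draft.c; a client that sent READDIRPLUS itself gets the same two entries but keeps its READDIRPLUS reply. Note that filtering directory listings hides names, not files: a client that already knows a name can still LOOKUP it, so a policy that must actually deny access applies matching rules to LOOKUP as well.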


Implementation
 FileWall
    Click Modular Router
    NFS over UDP
 FileWall Client
    SFS toolkit
    Session establishment
    Bootstrapping: identify the list of available file systems


Interposition Overhead: Emacs Compilation (figure)

Case Study: Flash Crowd Mitigation
 General purpose server (user homes, web server)
    Files mounted over NFS
 Web servers are prone to flash crowds
 Current policies
    Rate limit the number of requests
    Disable the web server

Mitigating Flash Crowds with FileWall
 Access context
    Rate of sequential file reads, directory listings, etc.
 Policy
    Hide files whose access rate exceeds a threshold
    Show files again when the rate falls below the threshold
 Only the source of the flash crowd disappears from the namespace
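The access-context side of this policy as an added example (not FileWall's own code): per-file read rates are measured over a sliding window, and a file is hidden when its rate exceeds one threshold and shown again when it falls below a lower one. The window length, the two thresholds and the traffic pattern are assumptions constructed for the example, not values from the slides; using two thresholds instead of one is a design choice the slides do not discuss.

```c
/* Added example, not FileWall's own code: the access-context side of the
 * flash-crowd policy. Each file's read rate is measured over a sliding
 * window of constructed timestamps; the file is hidden once its rate
 * exceeds HIDE_RATE and shown again once it falls below SHOW_RATE.
 * WINDOW, both thresholds and the traffic pattern are assumptions,
 * not numbers from the slides. */
#include <stdio.h>
#include <string.h>

#define WINDOW 5        /* seconds of access history kept per file */
#define HIDE_RATE 5.0   /* reads per second above which a file is hidden */
#define SHOW_RATE 2.0   /* reads per second below which it reappears */
#define MAX_FILES 8
#define MAX_EVENTS 256

typedef struct {
    char name[32];
    int times[MAX_EVENTS];  /* ring buffer of read timestamps */
    int head, count;
    int hidden;
} file_ctx;

static file_ctx files[MAX_FILES];
static int nfiles;

void reset_context(void) { nfiles = 0; memset(files, 0, sizeof files); }

static file_ctx *lookup(const char *name) {
    for (int i = 0; i < nfiles; i++)
        if (strcmp(files[i].name, name) == 0) return &files[i];
    if (nfiles == MAX_FILES) return NULL;
    file_ctx *f = &files[nfiles++];
    memset(f, 0, sizeof *f);
    strncpy(f->name, name, sizeof f->name - 1);
    return f;
}

/* Expire events that fell out of the window, then return reads per second. */
static double read_rate(file_ctx *f, int now) {
    while (f->count > 0 && f->times[f->head] <= now - WINDOW) {
        f->head = (f->head + 1) % MAX_EVENTS;
        f->count--;
    }
    return (double)f->count / WINDOW;
}

/* Two thresholds give hysteresis so a file does not flap in and out of the
 * namespace around a single cut-off. */
static void update_visibility(file_ctx *f, int now) {
    double rate = read_rate(f, now);
    if (!f->hidden && rate > HIDE_RATE) f->hidden = 1;
    else if (f->hidden && rate < SHOW_RATE) f->hidden = 0;
}

/* Record one sequential read of name at time t; returns 1 if it is now hidden. */
int record_read(const char *name, int t) {
    file_ctx *f = lookup(name);
    if (f == NULL) return 0;               /* table full: fail open, keep serving */
    if (f->count == MAX_EVENTS) {          /* ring full: drop the oldest event */
        f->head = (f->head + 1) % MAX_EVENTS;
        f->count--;
    }
    f->times[(f->head + f->count) % MAX_EVENTS] = t;
    f->count++;
    update_visibility(f, t);
    return f->hidden;
}

/* Visibility as a directory listing at time now would see it (no new access). */
int is_hidden(const char *name, int now) {
    file_ctx *f = lookup(name);
    if (f == NULL) return 0;
    update_visibility(f, now);
    return f->hidden;
}

/* Constructed scenario: hot.html is read 8 times a second for 5 seconds,
 * index.html once a second; afterwards the server goes quiet. */
static void run_burst(void) {
    reset_context();
    for (int t = 0; t < 5; t++) {
        for (int k = 0; k < 8; k++) record_read("hot.html", t);
        record_read("index.html", t);
    }
}
int hot_hidden_during_burst(void)  { run_burst(); return is_hidden("hot.html", 4); }
int cold_hidden_during_burst(void) { run_burst(); return is_hidden("index.html", 4); }
int hot_hidden_after_quiet(void)   { run_burst(); return is_hidden("hot.html", 30); }

int main(void) {
    printf("hot.html hidden at peak: %d\n", hot_hidden_during_burst());
    printf("index.html hidden at peak: %d\n", cold_hidden_during_burst());
    printf("hot.html hidden after 25 quiet seconds: %d\n", hot_hidden_after_quiet());
    return 0;
}
```

In the constructed burst, hot.html reaches 8 reads/s and leaves the namespace while index.html, at 1 read/s, stays visible, which is the "only the source of the flash crowd disappears" property; once the window drains, hot.html is shown again. The visibility decision feeds a listing/lookup transformation like the one in the policy descriptor above, and the per-file state is soft: losing it only means a file is shown until its rate is measured again.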

Results (figure)

Related Work
 Infokernel [Arpaci-Dusseau '03], firewall/NAT
 Access context
    Desktop search [Soules '03]
    File system prefetching [Amer '02, Lei '97]
    Enforcing enterprise-wide policies [He '05]
 Semantic file systems [Sheldon '91, Pike '93, Neuman '92, Rao '93]
 Extensible file systems [Zadok '00, Tewari '05]

Future Work
 User study
    Real deployment
    Behavior models
 Policy language
    Constraints
    Debugging and logging
 Data transformations
    Censorship
    Protocol translations: NFS -> CIFS, recipe-based file system (CASPER), IP -> RDMA
    Video encoding
    Content adaptation

Conclusions
 Per-file access policies can be enforced using virtual namespaces
    No client or server modification required
    Soft state maintenance required
 Provides administrators the ability to define a wide variety of access policies
    Protect file systems
    Provide quality of service

Thank You Questions?

Evaluation
 Dell PowerEdge 2600 systems
    Dual 2.4GHz Intel Xeon processors
    1GB RAM
    36GB SCSI disk
 Linux
 Gigabit Ethernet switch

QoS Policy (figure)

Policy Enforcement Requirements
 Expressive
 Deployable
 Scalable
 Available